The National Institute of Standards and Technology (NIST) Cybersecurity Framework Implementation Tiers are one of the three main elements of the Framework - the Framework Core, Profile, and Implementation Tiers. The implementation tiers themselves are designed to provide context for stakeholders around the degree to which an organization’s cybersecurity program exhibits the characteristics of the NIST CSF. NIST explicitly states that the CSF Implementation Tiers are not designed to be a maturity model. Instead, these management tiers are designed to illuminate and provide guidance to the interaction between cybersecurity risk management and operational risk management processes. In short, the NIST Cybersecurity Framework Tiers are designed to provide a clear path to roll cyber risk into the overall organizational risk of the enterprise. Much like the Profiles and the Framework Core, the Implementation Tiers are designed to act as a benchmark to take stock of current cybersecurity risk management practices and help organizations develop plans to improve their cybersecurity posture. In this post, we’ll explore each of the four Implementation Tiers as you work to understand how your organizational structure might fit in this scoring model.
Each of the Implementation Tiers is broken down into three main components: Risk Management Processes, Risk Management Program, and External Participation with their own respective functions, categories, and subcategories. Risk management processes point to the processes and ways that the organization approaches cybersecurity risk. The degree to which an organization practices an integrated risk management program indicates to top level management the degree to which an organization has centralized its cyber risk data and can make decisions from that information. With strategic planning, leadership can make cybersecurity decisions in conjunction with the company's overall goals and objectives. Finally, external participation points to the organization’s awareness within the greater business ecosystem in which they participate.
NIST Cybersecurity Framework Implementation Tiers
Tier 1 - Partial
- Risk Management Processes: At Tier 1 organizations, cybersecurity risk management is typically performed in an ad hoc/reactive manner. Furthermore, cybersecurity activities are typically performed with little to no prioritization based on the degree of risk that those activities address.
- Integrated Risk Management Program: The lack of processes associated with cyber risk management makes the communication and management of that risk difficult for these organizations. As a result, the organization works with cybersecurity risk management on a case-by-case basis because of the lack of consistent information.
- External Participation: These organizations lack a greater understanding of their role in the greater business ecosystem - its position in the supply chain, dependents, and dependencies. Without an understanding of where it sits in the ecosystem, a Tier 1 organization does not share information with third-parties effectively (if at all) and is generally unaware of the supply chain risks that it accepts and passes on to other members of the ecosystem.
Tier 2 - Risk-Informed
- Risk Management Processes: Risk management practices, while approved by management, are typically not established as organizational-wide policies within Tier 2 organizations. While risk management practices are not standard, they do directly inform the prioritization of cybersecurity activities alongside organizational risk objectives, the threat environment, and business requirements.
- Integrated Risk Management Program: The awareness of cybersecurity risk exists at the organizational level, but it is not standardized organization-wide, and the information around cybersecurity is only shared informally. While some consideration for cybersecurity exists in organizational objectives, it is not standard. A cyber risk assessment may occur, but it is not standard and periodically repeated.
- External Participation: Tier 2 organizations understand either their role in the ecosystem in terms of dependencies or dependents, but not both. Organizations like this typically receive information but do not share it out, and while they’re aware of the risk associated with their supply chain, they do not typically act on it.
Tier 3 - Repeatable
- Risk Management Processes: Tier 3 organizations have formally approved risk management practices, and are expressed as policy. These practices are regularly updated based on changes in business requirements and changing threat landscape.
- Integrated Risk Management Program: In this tier, there is a higher-level organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented, and reviewed. There are methods in place to consistently respond effectively to changes in risk, and personnel possess the knowledge and skills to perform their roles. Senior cybersecurity, board of directors, and business-side executives communicate regularly regarding cybersecurity events and risk.
- External Participation: Tier 3 organizations understand their role in the ecosystems and contribute to the broader understanding of risks. They collaborate with other entities regularly that coincide with internally generated information that is shared with other entities. These organizations are aware of the risks associated with their supply chains and act formally on those risks, including implementing written agreements to communicate baseline requirements, governance structures, and policy implementation and monitoring.
Tier 4 - Adaptive
- Risk Management Processes: These organizations adapt their cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive factors. They implement a process of continuous improvement - including incorporating advanced cybersecurity technologies and practices, actively adapting to a changing threat and technology landscape.
- Integrated Risk Management Program: Building on Tier 3, Tier 4 organizations clearly understand the link between organizational objectives and cybersecurity risk. Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. These organizations base budgeting decisions on an understanding of the current and potential risk environment. Cybersecurity risk is integrated into the organizational culture and evolves from an awareness of previous activities and continuous awareness.
- External Participation: Integrating itself further into the ecosystem beyond Tier 3, Tier 4 organizations receive, generate, and contribute to the understanding of the ecosystem around risk. Further integration of sharing information to internal and external stakeholders, the organization uses real-time information to understand and regularly act on supply chain risks. They also have a formalized process integrated into their documentation wit their dependencies and dependents.
What The Implementation Tiers Mean for You
As we’ve discussed, the NIST CSF Implementation Tiers are not meant to be seen as a maturity model. Instead, look at these as benchmarking tools and clear directions to improve how your organization approaches cybersecurity. Seek out NIST CSF assessment solutions that enable you to score using the Implementation Tiers; this enables you to score your organization as you complete an assessment rather than after the fact. From there, it is a matter of illustrating your findings clearly and compellingly, soliciting buy-in from all relevant stakeholders, and using the CSF to make progress towards your goal Tier.